Here's a patch to add instructions for using a keydisk to the FAQ, as promised: https://marc.info/?l=openbsd-bugs&m=150776298218879&w=2

I tried refactoring to reduce the redundancy between the passphrase and keydisk methods in the FAQ, but it came out more difficult to read, so I went with being clearer but more verbose.

diff --git faq/faq14.html faq/faq14.html
index 545083781..a4ec26bb5 100644
--- faq/faq14.html
+++ faq/faq14.html
@@ -749,6 +749,146 @@ Which disk is the root disk? ('?' for details) [sd0] 
<b>sd1</b>
You will be prompted for the passphrase on startup, but all other operations
should be handled transparently.

+<h4 id="softraidFDEkeydisk">Using a Keydisk</h4>
+
+As an alternative to using a passphrase, its possible to use a key stored on a
+separate disk (i.e. a USB stick) to unlock your encrypted disk. Let's start
+over and this time we'll use a "keydisk":
+
+<p>
+Select (S)hell at the initial prompt.
+
+<blockquote><pre>
+Welcome to the OpenBSD/amd64 X.X installation program.
+(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? <b>s</b>
+</pre></blockquote>
+
+From here, you'll be given a shell within the live environment to manipulate
+the disks.
+For this example, we will install to the <tt>sd0</tt> SATA drive, erasing all
+of its previous contents.
+You may want to write random data to the drive first with something like the
+following:
+
+<blockquote><pre>
+# <b>dd if=/dev/random of=/dev/rsd0c bs=1m</b>
+</pre></blockquote>
+
+This can be a very time-consuming process, depending on the speed of your
+CPU and disk, as well as the size of the disk.
+If you don't write random data to the whole device, it may be possible for an
+adversary to deduce how much space is actually being used.
+
+<p>
+Next, we'll initialize the disk with
+<a href="https://man.openbsd.org/fdisk";>fdisk(8)</a> and create the softraid
+partition with <a href="https://man.openbsd.org/disklabel";>disklabel(8)</a>.
+
+<p>
+If you're booting from MBR, do:
+
+<blockquote><pre>
+# <b>fdisk -iy sd0</b>
+</pre></blockquote>
+
+If you use GPT for UEFI booting, do:
+
+<blockquote><pre>
+# <b>fdisk -iy -g -b 960 sd0</b>
+</pre></blockquote>
+
+Next, create the partition layout:
+
+<blockquote><pre>
+# <b>disklabel -E sd0</b>
+Label editor (enter '?' for help at any prompt)
+> <b>a a</b>                    <!-- sparc64 users MUST use 'a a' here -->
+offset: [64]
+size: [39825135] <b>*</b>
+FS type: [4.2BSD] <b>RAID</b>
+> <b>w</b>
+> <b>q</b>
+No label changes.
+</pre></blockquote>
+
+We'll use the entire disk, but note that the encrypted device can be
+split up into multiple partitions as if it were a regular hard drive.
+
+<p>
+Next, we'll setup a keydisk. We'll use the <tt>sd1</tt> SATA drive for our
+keydisk in this example, erasing all of its previous contents.  Since the
+installer does not have many device nodes by default, we'll make sure the
+<tt>/dev/sd1</tt> and <tt>/dev/sd2</tt> devices are there, because we need
+them for this example.
+
+<blockquote><pre>
+# <b>cd /dev && sh MAKEDEV sd1 sd2</b>
+</pre></blockquote>
+
+The installer expects the keydisk to have room set aside for a copy of the
+boot blocks (too), so if you're booting from MBR, do:
+
+<blockquote><pre>
+# <b>fdisk -iy sd1</b>
+</pre></blockquote>
+
+If you use GPT for UEFI booting, do:
+
+<blockquote><pre>
+# <b>fdisk -iy -g -b 960 sd1</b>
+</pre></blockquote>
+
+Then create the partition layout for the keydisk, with a 1 MB RAID partition 
for
+the key data:
+
+<blockquote><pre>
+# <b>disklabel -E sd1</b>
+Label editor (enter '?' for help at any prompt)
+> <b>a a</b>                    <!-- sparc64 users MUST use 'a a' here -->
+offset: [64]
+size: [1741795] <b>1M</b>
+FS type: [4.2BSD] <b>RAID</b>
+> <b>w</b>
+> <b>q</b>
+No label changes.
+</pre></blockquote>
+
+<p>
+Now we can build the encrypted device on our "a" partition. This time we'll
+use the -k option to use our keydisk instead of a passphrase.
+
+<blockquote><pre>
+# <b>bioctl -c C -k sd1a -l sd0a softraid0</b>
+sd2 at scsibus3 targ 1 lun 0: &lt;OPENBSD, SR CRYPTO, 005&gt; SCSI2 0/direct 
fixed
+sd2: 19445MB, 512 bytes/sector, 39824607 sectors
+softraid0: CRYPTO volume attached as sd2
+</pre></blockquote>
+
+You won't be prompted to enter a passphrase (this time), because the keydisk
+was used instead.
+All data written to <tt>sd2</tt> will now be encrypted with AES in XTS mode.
+
+<p>
+As in the previous example, we'll overwrite the first megabyte of our new
+pseudo-device.
+
+<blockquote><pre>
+# <b>dd if=/dev/zero of=/dev/rsd2c bs=1m count=1</b>
+</pre></blockquote>
+
+Type <tt>exit</tt> to return to the main installer, then choose this new
+device as the one for your installation.
+
+<blockquote><pre>
+[...]
+Available disks are: sd0 sd1 sd2.
+Which disk is the root disk? ('?' for details) [sd0] <b>sd2</b>
+</pre></blockquote>
+
+Make sure your keydisk is plugged in at startup, or you'll see error messages
+and be unable to boot. If you lose your keydisk or it gets corrupted, you will
+lose access to your encrypted disk.
+
<h3 id="softraidCrypto">Encrypting external disks</h3>

This section explains how you might set up a cryptographic softraid volume
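Review bot: the closing caveat in the new keydisk section only covers losing the keydisk; since the text earlier notes that no passphrase is prompted because the keydisk is used instead, the hunk should also state that anyone holding the keydisk can unlock the volume, so it must be kept physically secure and separate from the encrypted disk. Smaller points in the same hunk: "its possible to use a key" should be "it's possible", "we'll setup a keydisk" should be "set up", and "a copy of the boot blocks (too), so if you're booting from MBR" reads awkwardly and could drop the parenthetical. The `";>` after the href values in the fdisk(8) and disklabel(8) links looks like a stray semicolon; please confirm it is not in the committed HTML.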
